SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
@Kjhambrick, I ran across your summer 2017 thread which has examples of how-to upgrade microcode and the patch resulting to allow an easy upgrade. Linking here for more insight and examples for those looking to update their microcode. Also thanks to phenexia2003 for the patch that allows a flag to mkinitrd which simplifies this. https://www.linuxquestions.org/quest...rs-4175608636/
It would be really great to see a docs.slackware.com article on "How to Update Intel Microcode" which captures all these ideas and suggestions but written by a senior Slackware member who really understands the different options and can describe the different paths for those using LTS kernels.
PS I read Greg K-H's Meltdown article last night and it appears that Meltdown and Spectre are only going to be addressed only on LTS kernels 4.4, 4.9, 4.14, although 4.15 is not yet LTS it is being worked on for Meltdown.
Your microcode only does Mitigation 1 from CVE-2017-5715.
The rest is open.
Quote:
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places: UNKNOWN (couldn't find your kernel image in /boot, if you used netboot, this is normal)
> STATUS: UNKNOWN
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2' * Mitigation 1 * Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO * Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: UNKNOWN (couldn't find your kernel image)
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
I do not know why not see my /boot/vmlinuz in variant 1 check ?
Your microcode only does Mitigation 1 from CVE-2017-5715.
The rest is open.
I do not know why not see my /boot/vmlinuz in variant 1 check ?
Thanks, after a slight modification in script, I got:
Code:
Spectre and Meltdown mitigation detection tool v0.16
Checking vulnerabilities against Linux 4.4.110 #1 SMP Fri Jan 5 22:17:16 CET 2018 x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 53 opcodes found, should be >= 70)
> STATUS: VULNERABLE
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
Script modification (added XXX to temp file template name)
@Kjhambrick, I ran across your summer 2017 thread which has examples of how-to upgrade microcode and the patch resulting to allow an easy upgrade. Linking here for more insight and examples for those looking to update their microcode. Also thanks to phenexia2003 for the patch that allows a flag to mkinitrd which simplifies this. https://www.linuxquestions.org/quest...rs-4175608636/
It would be really great to see a docs.slackware.com article on "How to Update Intel Microcode" which captures all these ideas and suggestions but written by a senior Slackware member who really understands the different options and can describe the different paths for those using LTS kernels.
PS I read Greg K-H's Meltdown article last night and it appears that Meltdown and Spectre are only going to be addressed only on LTS kernels 4.4, 4.9, 4.14, although 4.15 is not yet LTS it is being worked on for Meltdown.
Yikes !
Not only am I old and set in my ways, but I am old and forgetful too !
although 4.15 is not yet LTS it is being worked on for Meltdown.
4.15 won't be an LTS kernel. It will become the latest stable, but that will be supplanted by 4.16 and then 4.17 and on. Non-LTS kernels are usually only supported for around 3 months before they EOL them and expect users to move to the next stable kernel.
LTS kernels are specifically selected to have a longer than normal life of updates -- now up to six years of updates, but only 4.4 and 4.14 will have that 6 years. 4.9 was stuck with the old LTS policy of updates for 2 years. We don't know what kernels will be LTS kernels until it is announced by a kernel developer, usually Greg Kroah-Hartman.
I'm actually kinda surprised that 4.1 isn't getting the updates (or maybe it is and I'm just not aware of it), because it won't be EOL until May 2018. Other than that, 4.4, 4.9, 4.14, and 4.15 are the only maintained kernels by kernel developers. All other kernels versions have been EOLed and probably won't see official updates for these vulnerabilities.
I'm actually kinda surprised that 4.1 isn't getting the updates (or maybe it is and I'm just not aware of it), because it won't be EOL until May 2018. Other than that, 4.4, 4.9, 4.14, and 4.15 are the only maintained kernels by kernel developers. All other kernels versions have been EOLed and probably won't see official updates for these vulnerabilities.
bassmadrigal --
The 4.1 Kernel is maintained by Sasha Levin and maybe there is more foundation code to back-port into 4.1 than 4.4, etc ???
Just guessing ...
-- kjh
From the 4.1.48 ChangeLog:
Code:
commit 0199619b21f7320482e8a2db14cf8bc974a7766a
Author: Sasha Levin <alexander.levin@verizon.com>
Date: Tue Dec 12 10:21:44 2017 -0500
Linux 4.1.48
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Wouldn't it be neat to have all this knowledge packed in AlienBoB's Live Slackware image? Obviously, approved from "above". It'll help a lot of people and will definitely make Slackware more popular. Just a tough.
@keefaz I've tried to use that script and the first test is always failing as "couldn't find your kernel image in /boot,.."
My kernel responds to uname -r as '4.4.106-ba'. I saw where you suggested modifying line 113 of the script, but I've tried that and actually gone to a full 10 X's and it still doesn't recognize the kernel. The /boot/vmlinuz is a symlink to vmlinuz-custom-4.4.106 image on my machine. Any suggestions? Thanks
Wouldn't it be neat to have all this knowledge packed in AlienBoB's Live Slackware image? Obviously, approved from "above". It'll help a lot of people and will definitely make Slackware more popular. Just a tough.
Actually it would be great to have this on the docs.slackware.com page as "How to upgrade Intel microcode". Then future questions on LQ could be referenced to that article. I know @AlienBob also has a blog and he too has some nice write-ups but I believe this subject to be outside just the LiveSlak interest group.
Since the intent of this article was to guide me on how to properly upgrade Intel microcode, please move issues of latest kernel to that thread and issues of how to address Meltdown or Spectre to the Slackware security thread. Sorry about hi-jacking my own thread with the earlyier "PS about LTS support for Meltdown and Spectre" ouch. Maybe the test script suggestion could also be moved there please!
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
